2021-05-28

Same threat actor as the one behind last year’s SolarWinds attack.

The threat actor behind last year’s major SolarWinds hack has run a new targeted campaign involving nearly 3,000 emails.

The threat actor Nobelium has this time gone after more than 150 organisations, encompassing government agencies, think tanks, consultants and non-governmental organisations.

Although the United States received the largest share of attacks, targeted victims span at least 24 countries, according to Microsoft.

“These attacks appear to be a continuation of multiple efforts by Nobelium to target government agencies involved in foreign policy as part of intelligence gathering efforts,” said Tom Burt, Microsoft’s corporate vice president of customer security and trust.

According to Burt, the hackers gained access to USAID’s account with Constant Contact, the email marketing service the agency uses.

From there, Nobelium distributed phishing emails containing a link that, when clicked, delivered a malicious file used to install a backdoor called NativeZone.

“This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network,” Burt said.

According to Microsoft, “many” of the attacks were blocked by Windows Defender, but Burt called the attacks notable for three reasons.

“First, when coupled with the attack on SolarWinds, it’s clear that part of Nobelium’s playbook is to gain access to trusted technology providers and infect their customers,” Burt wrote.

“By piggybacking on software updates and now mass email providers, Nobelium increases the chances of collateral damage in espionage operations and undermines trust in the technology ecosystem.

“Second, perhaps unsurprisingly, Nobelium’s activities and that of similar actors tend to track with issues of concern to the country from which they are operating. This time Nobelium targeted many humanitarian and human rights organisations.”

The third reason, Burt said, is the continued acceleration of nation-state cyber attacks. “We need clear rules governing nation-state conduct in cyberspace and clear expectations of the consequences for violation of those rules,” he added.